Configuration Server - Spring Cloud

CAS is able to use an external and central configuration server to obtain state and settings. The configuration server provides a very abstract way for CAS (and all of its other clients) to obtain settings from a variety of sources, such as file system, git or svn repositories, MongoDb databases, Vault, etc. The beauty of this solution is that to the CAS web application server, it matters not where settings come from and it has no knowledge of the underlying property sources. It talks to the configuration server to locate settings and move on.

Configuration Security

This is a very good strategy to ensure configuration settings are not scattered around various deployment environments leading to a more secure deployment. The configuration server need not be exposed to the outside world, and it can safely and secure be hidden behind firewalls, etc allowing access to only authorized clients such as the CAS server web application.

A full comprehensive guide is provided by the Spring Cloud project.

Spring Cloud Configuration Server Overlay

The configuration server itself, similar to CAS, can be deployed using the CAS Initializr.

1
2
3
4
5
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-webapp-config-server</artifactId>
  <version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-webapp-config-server:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
  imports {
    mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
  }
}

dependencies {  
  implementation "org.apereo.cas:cas-server-webapp-config-server"
}

In addition to the strategies outlined here, the configuration server may load CAS settings and properties via the following order and mechanics:

  1. Profile-specific application properties outside of your packaged web application (application-{profile}.properties|yml)
  2. Profile-specific application properties packaged inside your jar (application-{profile}.properties|yml)
  3. Application properties outside of your packaged jar (application.properties|yml).
  4. Application properties packaged inside your jar (application.properties|yml).

The configuration and behavior of the configuration server is also controlled by its own src/main/resources/bootstrap.properties file. By default, it runs under port 8888 at /casconfigserver inside an embedded Apache Tomcat server whose endpoints are protected with basic authentication where the default credentials are casuser and an auto-generated password defined in src/main/resources/application.properties.

Furthermore, by default it runs under a native profile described below.

The following endpoints are secured and exposed by the configuration server:

Parameter Description
/encrypt Accepts a POST to encrypt CAS configuration settings.
/decrypt Accepts a POST to decrypt CAS configuration settings.
/actuator/refresh Accepts a POST and attempts to refresh the internal state of configuration server.
/actuator/env Accepts a GET and describes all configuration sources of the configuration server.
/actuator/cas/default Describes what the configuration server knows about the default settings profile.
/actuator/cas/native Describes what the configuration server knows about the native settings profile.

Once you have the configuration server deployed and assuming the credentials used to secure the configuration server match the example below, you can observe the collection of settings via:

1
curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/cas/native

Assuming actuator endpoints are enabled in the configuration, you can also observe the collection of property sources that provide settings to the configuration server:

1
curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/actuator/env
Actuator Endpoints

Remember that actuator endpoints typically are prefixed with /actuator.

Actuator Endpoints

The following endpoints are provided by CAS:

Reports back general health status of the system, produced by various monitors.

HealthComponent

HealthEndpoint.health()

org.springframework.boot.actuate.health.HealthEndpoint

Reports back general health status of the system, produced by various monitors.

HealthComponent

HealthEndpoint.healthForPath(java.lang.String…)

org.springframework.boot.actuate.health.HealthEndpoint


The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. You should only include this field in your configuration if you need to modify the default value.

The configuration settings listed below are tagged as Third Party in the CAS configuration metadata. This flag indicates that the configuration setting is not controlled, owned or managed by the CAS ecosystem, and affects functionality that is offered by a third-party library, such as Spring Boot or Spring Cloud to CAS. For additional info, you might have to visit the third-party source to find more details.

  • spring.cloud.config.server.health.repositories=
  • org.springframework.cloud.config.server.config.ConfigServerHealthIndicator.

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    Spring Cloud Configuration Server Clients

    To let the CAS server web application (or any other client for that matter) talk to the configuration server, the following settings need to be applied to CAS’ own src/main/resources/bootstrap.properties file. The properties to configure the CAS server web application as the client of the configuration server must necessarily be read in before the rest of the application’s configuration is read from the configuration server, during the bootstrap phase.

    The following settings and properties are available from the CAS configuration catalog:

    The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. You should only include this field in your configuration if you need to modify the default value.

    The configuration settings listed below are tagged as Third Party in the CAS configuration metadata. This flag indicates that the configuration setting is not controlled, owned or managed by the CAS ecosystem, and affects functionality that is offered by a third-party library, such as Spring Boot or Spring Cloud to CAS. For additional info, you might have to visit the third-party source to find more details.

  • spring.cloud.config.allow-override=true
  • Flag to indicate that #isOverrideSystemProperties() systemPropertiesOverride can be used. Set to false to prevent users from changing the default accidentally. Default true.

    org.springframework.cloud.bootstrap.config.PropertySourceBootstrapProperties.

  • spring.cloud.config.discovery.enabled=false
  • Flag to indicate that config server discovery is enabled (config server URL will be looked up via discovery).

    org.springframework.cloud.config.client.ConfigClientProperties$Discovery.

  • spring.cloud.config.discovery.service-id=configserver
  • Service id to locate config server.

    org.springframework.cloud.config.client.ConfigClientProperties$Discovery.

  • spring.cloud.config.enabled=true
  • Flag to say that remote configuration is enabled. Default true;

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.fail-fast=false
  • Flag to indicate that failure to connect to the server is fatal (default false).

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.headers=
  • Additional headers used to create the client request.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.label=
  • The label name to use to pull remote configuration properties. The default is set on the server (generally "master" for a git based server).

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.media-type=
  • The Accept header media type to send to config server.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.name=
  • Name of application used to fetch remote properties.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.override-none=false
  • Flag to indicate that when #setAllowOverride(boolean) allowOverride is true, external properties should take lowest priority and should not override any existing property sources (including local config files). Default false.

    org.springframework.cloud.bootstrap.config.PropertySourceBootstrapProperties.

  • spring.cloud.config.override-system-properties=true
  • Flag to indicate that the external properties should override system properties. Default true.

    org.springframework.cloud.bootstrap.config.PropertySourceBootstrapProperties.

  • spring.cloud.config.password=
  • The password to use (HTTP Basic) when contacting the remote server.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.profile=default
  • The default profile to use when fetching remote configuration (comma-separated). Default is "default".

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.request-connect-timeout=0
  • timeout on waiting to connect to the Config Server.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.request-read-timeout=0
  • timeout on waiting to read data from the Config Server.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.retry.initial-interval=1000
  • Initial retry interval in milliseconds.

    org.springframework.cloud.config.client.RetryProperties.

  • spring.cloud.config.retry.max-attempts=6
  • Maximum number of attempts.

    org.springframework.cloud.config.client.RetryProperties.

  • spring.cloud.config.retry.max-interval=2000
  • Maximum interval for backoff.

    org.springframework.cloud.config.client.RetryProperties.

  • spring.cloud.config.retry.multiplier=1.1
  • Multiplier for next interval.

    org.springframework.cloud.config.client.RetryProperties.

  • spring.cloud.config.send-state=true
  • Flag to indicate whether to send state. Default true.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.server.accept-empty=true
  • Flag to indicate that If HTTP 404 needs to be sent if Application is not Found.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.aws-secretsmanager.endpoint=
  • The endpoint to be used by AWS Secrets Manager client. This can be used to specify an alternate endpoint for the API requests.

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.aws-secretsmanager.order=
  • The order of the environment repository.

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.aws-secretsmanager.origin=aws:secrets:
  • Prefix which indicates the origin of the property. Defaults to "aws:secrets:".

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.aws-secretsmanager.prefix=
  • Prefix indicating first level for every property loaded from AWS Secrets Manager. Value must start with a forward slash followed by a valid path segment or be empty. Defaults to "/secret".

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.aws-secretsmanager.profile-separator=-
  • String that separates profile from the application name.

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.aws-secretsmanager.region=
  • The region to be used by AWS Secrets Manager client.

    org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.decrypt-values=true
  • Flag to indicate the retrieval of all AWS parameters in a hierarchy with their value decrypted. Defaults to "true".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.endpoint=
  • The service endpoint to be used by the AWS Parameter Store client.

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.max-results=10
  • The maximum number of items to return for an AWS Parameter Store API call. Defaults to "10".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.order=
  • The order of the environment repository.

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.origin=aws:ssm:parameter:
  • Prefix indicating the property's origin. Defaults to "aws:ssm:parameter:".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.prefix=
  • Prefix indicating first level for every property loaded from the AWS Parameter Store. Value must start with a forward slash followed by one or more valid path segments or be empty. Defaults to "/config".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.profile-separator=-
  • String that separates an appended profile from the context name. Note that an AWS parameter name can only contain dots, dashes and underscores next to alphanumeric characters. Defaults to "-".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.recursive=true
  • Flag to indicate the retrieval of all AWS parameters within a hierarchy. Defaults to "true".

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awsparamstore.region=
  • The region to be used by the AWS Parameter Store client.

    org.springframework.cloud.config.server.environment.AwsParameterStoreEnvironmentProperties.

  • spring.cloud.config.server.awss3.bucket=
  • Name of the S3 bucket that contains config.

    org.springframework.cloud.config.server.environment.AwsS3EnvironmentProperties.

  • spring.cloud.config.server.awss3.order=0
  • org.springframework.cloud.config.server.environment.AwsS3EnvironmentProperties.

  • spring.cloud.config.server.awss3.region=
  • AWS region that contains config.

    org.springframework.cloud.config.server.environment.AwsS3EnvironmentProperties.

  • spring.cloud.config.server.bootstrap=false
  • Flag indicating that the config server should initialize its own Environment with properties from the remote repository. Off by default because it delays startup but can be useful when embedding the server in another application.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.credhub.ca-cert-files=
  • org.springframework.credhub.support.ClientOptions.

  • spring.cloud.config.server.credhub.connection-timeout=
  • org.springframework.credhub.support.ClientOptions.

  • spring.cloud.config.server.credhub.oauth2.registration-id=
  • org.springframework.credhub.core.CredHubProperties$OAuth2.

  • spring.cloud.config.server.credhub.order=
  • org.springframework.cloud.config.server.environment.CredhubEnvironmentProperties.

  • spring.cloud.config.server.credhub.read-timeout=
  • org.springframework.credhub.support.ClientOptions.

  • spring.cloud.config.server.credhub.url=
  • org.springframework.credhub.core.CredHubProperties.

  • spring.cloud.config.server.default-application-name=application
  • Default application name when incoming requests do not have a specific one.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.default-label=
  • Default repository label when incoming requests do not have a specific label.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.default-profile=default
  • Default application profile when incoming requests do not have a specific one.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.enabled=true
  • Flag indicating config server is enabled.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.encrypt.enabled=true
  • Enable decryption of environment properties before sending to client.

    org.springframework.cloud.config.server.config.ConfigServerProperties$Encrypt.

  • spring.cloud.config.server.encrypt.plain-text-encrypt=false
  • Enable decryption of environment properties served by plain text endpoint org.springframework.cloud.config.server.resource.ResourceController.

    org.springframework.cloud.config.server.config.ConfigServerProperties$Encrypt.

  • spring.cloud.config.server.fail-on-composite-error=true
  • Flag indicating that if there are any errors reading properties from a subordinate environment repository in a composite environment repository, then the entire composite read should fail. Useful when set to false when a Vault repository is in the composite to allow clients to still read properties from other repositories without providing a valid Vault token. Defaults to true, resulting in a failure on any error.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.gcp-secret-manager.application-label=application
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.gcp-secret-manager.order=
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.gcp-secret-manager.profile-label=profile
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.gcp-secret-manager.service-account=
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.gcp-secret-manager.token-mandatory=true
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.gcp-secret-manager.version=1
  • org.springframework.cloud.config.server.environment.GoogleSecretManagerEnvironmentProperties.

  • spring.cloud.config.server.git.basedir=
  • Base directory for local working copy of repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.clone-on-start=false
  • Flag to indicate that the repository should be cloned on startup (not on demand). Generally leads to slower startup but faster first query.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.clone-submodules=false
  • Flag to indicate that the submodules in the repository should be cloned.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.default-label=
  • The default label to be used with the remote repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.delete-untracked-branches=false
  • Flag to indicate that the branch should be deleted locally if it's origin tracked branch was removed.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.force-pull=false
  • Flag to indicate that the repository should force pull. If true discard any local changes and take from remote repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.host-key=
  • Valid SSH host key. Must be set if hostKeyAlgorithm is also set.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.host-key-algorithm=
  • One of ssh-dss, ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521. Must be set if hostKey is also set.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.ignore-local-ssh-settings=false
  • If true, use property-based instead of file-based SSH config.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.known-hosts-file=
  • Location of custom .known_hosts file.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.order=
  • The order of the environment repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.passphrase=
  • Passphrase for unlocking your ssh private key.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.password=
  • Password for authentication with remote repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.preferred-authentications=
  • Override server authentication method order. This should allow for evading login prompts if server has keyboard-interactive authentication before the publickey method.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.private-key=
  • Valid SSH private key. Must be set if ignoreLocalSshSettings is true and Git URI is SSH format.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.proxy=
  • HTTP proxy configuration.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.refresh-rate=0
  • Time (in seconds) between refresh of the git repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.repos=
  • Map of repository identifier to location and other properties.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.search-paths=
  • Search paths to use within local working copy. By default searches only the root.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.skip-ssl-validation=false
  • Flag to indicate that SSL certificate validation should be bypassed when communicating with a repository served over an HTTPS connection.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.strict-host-key-checking=true
  • If false, ignore errors with host key.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.timeout=5
  • Timeout (in seconds) for obtaining HTTP or SSH connection (if applicable), defaults to 5 seconds.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.try-master-branch=true
  • To maintain compatibility we will try the master branch in addition to main when we try to fetch the default branch.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.uri=
  • URI of remote repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.git.username=
  • Username for authentication with remote repository.

    org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties.

  • spring.cloud.config.server.health.repositories=
  • org.springframework.cloud.config.server.config.ConfigServerHealthIndicator.

  • spring.cloud.config.server.jdbc.enabled=true
  • Flag to indicate that JDBC environment repository configuration is enabled.

    org.springframework.cloud.config.server.environment.JdbcEnvironmentProperties.

  • spring.cloud.config.server.jdbc.fail-on-error=true
  • Flag to determine how to handle query exceptions.

    org.springframework.cloud.config.server.environment.JdbcEnvironmentProperties.

  • spring.cloud.config.server.jdbc.order=0
  • org.springframework.cloud.config.server.environment.JdbcEnvironmentProperties.

  • spring.cloud.config.server.jdbc.sql=SELECT "KEY", "VALUE" from PROPERTIES where APPLICATION=? and PROFILE=? and LABEL=?
  • SQL used to query database for keys and values.

    org.springframework.cloud.config.server.environment.JdbcEnvironmentProperties.

  • spring.cloud.config.server.native.add-label-locations=true
  • Flag to determine whether label locations should be added.

    org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.native.default-label=master
  • org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.native.fail-on-error=false
  • Flag to determine how to handle exceptions during decryption (default false).

    org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.native.order=
  • org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.native.search-locations=
  • Locations to search for configuration files. Defaults to the same as a Spring Boot app so [classpath:/,classpath:/config/,file:./,file:./config/].

    org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.native.version=
  • Version string to be reported for native repository.

    org.springframework.cloud.config.server.environment.NativeEnvironmentProperties.

  • spring.cloud.config.server.overrides=
  • Extra map for a property source to be sent to all clients unconditionally.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.prefix=
  • Prefix for configuration resource paths (default is empty). Useful when embedding in another application when you don't want to change the context path or servlet path.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.redis.order=
  • org.springframework.cloud.config.server.environment.RedisEnvironmentProperties.

  • spring.cloud.config.server.strip-document-from-yaml=true
  • Flag to indicate that YAML documents that are text or collections (not a map) should be returned in "native" form.

    org.springframework.cloud.config.server.config.ConfigServerProperties.

  • spring.cloud.config.server.svn.basedir=
  • Base directory for local working copy of repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.default-label=
  • The default label to be used with the remote repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.order=
  • The order of the environment repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.passphrase=
  • Passphrase for unlocking your ssh private key.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.password=
  • Password for authentication with remote repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.search-paths=
  • Search paths to use within local working copy. By default searches only the root.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.strict-host-key-checking=true
  • Reject incoming SSH host keys from remote servers not in the known host list.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.uri=
  • URI of remote repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.svn.username=
  • Username for authentication with remote repository.

    org.springframework.cloud.config.server.environment.SvnKitEnvironmentProperties.

  • spring.cloud.config.server.vault.app-role.app-role-path=approle
  • Mount path of the AppRole authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AppRoleProperties.

  • spring.cloud.config.server.vault.app-role.role=
  • Name of the role, optional, used for pull-mode.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AppRoleProperties.

  • spring.cloud.config.server.vault.app-role.role-id=
  • The RoleId.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AppRoleProperties.

  • spring.cloud.config.server.vault.app-role.secret-id=
  • The SecretId.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AppRoleProperties.

  • spring.cloud.config.server.vault.authentication=
  • org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.aws-ec2.aws-ec2-path=aws-ec2
  • Mount path of the AWS-EC2 authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsEc2Properties.

  • spring.cloud.config.server.vault.aws-ec2.identity-document=http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
  • URL of the AWS-EC2 PKCS7 identity document.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsEc2Properties.

  • spring.cloud.config.server.vault.aws-ec2.nonce=
  • Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsEc2Properties.

  • spring.cloud.config.server.vault.aws-ec2.role=
  • Name of the role, optional.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsEc2Properties.

  • spring.cloud.config.server.vault.aws-iam.aws-path=aws
  • Mount path of the AWS authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsIamProperties.

  • spring.cloud.config.server.vault.aws-iam.endpoint-uri=
  • STS server URI. @since 2.2

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsIamProperties.

  • spring.cloud.config.server.vault.aws-iam.role=
  • Name of the role, optional. Defaults to the friendly IAM name if not set.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsIamProperties.

  • spring.cloud.config.server.vault.aws-iam.server-name=
  • Name of the server used to set X-Vault-AWS-IAM-Server-ID header in the headers of login requests.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AwsIamProperties.

  • spring.cloud.config.server.vault.azure-msi.azure-path=azure
  • Mount path of the Azure MSI authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AzureMsiProperties.

  • spring.cloud.config.server.vault.azure-msi.identity-token-service=
  • URI to the Azure MSI Identity Service.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AzureMsiProperties.

  • spring.cloud.config.server.vault.azure-msi.metadata-service=
  • URI to the Azure MSI Metadata Service.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AzureMsiProperties.

  • spring.cloud.config.server.vault.azure-msi.role=
  • Name of the role.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$AzureMsiProperties.

  • spring.cloud.config.server.vault.backend=secret
  • Vault backend. Defaults to secret.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.default-key=application
  • The key in vault shared by all applications. Defaults to application. Set to empty to disable.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.gcp-gce.gcp-path=gcp
  • Mount path of the Kubernetes authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpGceProperties.

  • spring.cloud.config.server.vault.gcp-gce.role=
  • Name of the role against which the login is being attempted.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpGceProperties.

  • spring.cloud.config.server.vault.gcp-gce.service-account=
  • Optional service account id. Using the default id if left unconfigured.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpGceProperties.

  • spring.cloud.config.server.vault.gcp-iam.credentials.encoded-key=
  • The base64 encoded contents of an OAuth2 account private key in JSON format.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpCredentials.

  • spring.cloud.config.server.vault.gcp-iam.credentials.location=
  • Location of the OAuth2 credentials private key.

    Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpCredentials.

  • spring.cloud.config.server.vault.gcp-iam.gcp-path=gcp
  • Mount path of the Kubernetes authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpIamProperties.

  • spring.cloud.config.server.vault.gcp-iam.jwt-validity=15m
  • Validity of the JWT token.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpIamProperties.

  • spring.cloud.config.server.vault.gcp-iam.project-id=
  • Overrides the GCP project Id.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpIamProperties.

  • spring.cloud.config.server.vault.gcp-iam.role=
  • Name of the role against which the login is being attempted.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpIamProperties.

  • spring.cloud.config.server.vault.gcp-iam.service-account-id=
  • Overrides the GCP service account Id.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$GcpIamProperties.

  • spring.cloud.config.server.vault.host=127.0.0.1
  • Vault host. Defaults to 127.0.0.1.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.kubernetes.kubernetes-path=kubernetes
  • Mount path of the Kubernetes authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$KubernetesProperties.

  • spring.cloud.config.server.vault.kubernetes.role=
  • Name of the role against which the login is being attempted.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$KubernetesProperties.

  • spring.cloud.config.server.vault.kubernetes.service-account-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
  • Path to the service account token file.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$KubernetesProperties.

  • spring.cloud.config.server.vault.kv-version=1
  • Value to indicate which version of Vault kv backend is used. Defaults to 1.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.namespace=
  • The value of the Vault X-Vault-Namespace header. Defaults to null. This a Vault Enterprise feature only.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.order=
  • org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.path-to-key=
  • KV2 API required "data" after "mount-path". There could be folder/path structure, where the keys/applications are grouped. This property is the path after mount-path, under which application(s) are located (appended after "data") Default value is blank, which means all grouped applications are located right under the mount-path

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.pcf.instance-certificate=
  • Path to the instance certificate (PEM). Defaults to CF_INSTANCE_CERT env variable.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$PcfProperties.

  • spring.cloud.config.server.vault.pcf.instance-key=
  • Path to the instance key (PEM). Defaults to CF_INSTANCE_KEY env variable.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$PcfProperties.

  • spring.cloud.config.server.vault.pcf.pcf-path=pcf
  • Mount path of the Kubernetes authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$PcfProperties.

  • spring.cloud.config.server.vault.pcf.role=
  • Name of the role against which the login is being attempted.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$PcfProperties.

  • spring.cloud.config.server.vault.port=8200
  • Vault port. Defaults to 8200.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.profile-separator=,
  • Vault profile separator. Defaults to comma.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.proxy=
  • HTTP proxy configuration.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.scheme=http
  • Vault scheme. Defaults to http.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.skip-ssl-validation=false
  • Flag to indicate that SSL certificate validation should be bypassed when communicating with a repository served over an HTTPS connection.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.ssl.cert-auth-path=cert
  • Mount path of the TLS cert authentication backend.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$Ssl.

  • spring.cloud.config.server.vault.ssl.key-store=
  • Trust store that holds certificates and private keys.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$Ssl.

  • spring.cloud.config.server.vault.ssl.key-store-password=
  • Password used to access the key store.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$Ssl.

  • spring.cloud.config.server.vault.ssl.trust-store=
  • Trust store that holds SSL certificates.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$Ssl.

  • spring.cloud.config.server.vault.ssl.trust-store-password=
  • Password used to access the trust store.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties$Ssl.

  • spring.cloud.config.server.vault.timeout=5
  • Timeout (in seconds) for obtaining HTTP connection, defaults to 5 seconds.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.server.vault.token=
  • Static vault token. Required if #authentication is TOKEN.

    org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.

  • spring.cloud.config.tls=
  • TLS properties.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.token=
  • Security Token passed thru to underlying environment repository.

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.uri=http://localhost:8888
  • The URI of the remote server (default http://localhost:8888).

    org.springframework.cloud.config.client.ConfigClientProperties.

  • spring.cloud.config.username=
  • The username to use (HTTP Basic) when contacting the remote server.

    org.springframework.cloud.config.client.ConfigClientProperties.

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    Remember that configuration server serves property sources from /{name}/{profile}/{label} to applications, where the default bindings in the client app are the following:

    1
    2
    3
    
    "name" = ${spring.application.name}
    "profile" = ${spring.profiles.active}
    "label" = "master"
    

    All of them can be overridden by setting spring.cloud.config.* (where * is name, profile or label). The “label” is useful for rolling back to previous versions of configuration; with the default Config Server implementation it can be a git label, branch name or commit id. Label can also be provided as a comma-separated list, in which case the items in the list are tried on-by-one until one succeeds. This can be useful when working on a feature branch, for instance, when you might want to align the config label with your branch, but make it optional (e.g. spring.cloud.config.label=myfeature,develop).

    To lean more about how CAS allows you to reload configuration changes, please review this guide.

    Spring Cloud Configuration Server Sources

    Various configuration profiles exist to determine how configuration server should retrieve properties and settings.

    The cloud configuration modules provided above may also be used verbatim inside a CAS server overlay. Remember that the primary objective for these modules is to retrieve settings and properties from a source. While they are mostly and primarily useful when activated inside the Spring Cloud Configuration server and can be set to honor profiles and such, they nonetheless may also be used inside a CAS server overlay directly to fetch settings from a source while running in standalone mode. In such scenarios, all sources of configuration regardless of format or syntax will work alongside each other to retrieve settings and you can certainly mix and match as you see fit.

    Spring Cloud Configuration Server Composite Sources

    In some scenarios you may wish to pull configuration data from multiple environment repositories. To do this just enable multiple profiles in your configuration server’s application properties or YAML file. If, for example, you want to pull configuration data from a Git repository as well as a SVN repository you would set the following properties for your configuration server.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    
    spring:
      profiles:
        active: git, svn
      cloud:
        config:
          server:
            svn:
              uri: file:///path/to/svn/repo
              order: 2
            git:
              uri: file:///path/to/git/repo
              order: 1
    

    In addition to each repo specifying a URI, you can also specify an order property. The order property allows you to specify the priority order for all your repositories. The lower the numerical value of the order property the higher priority it will have. The priority order of a repository will help resolve any potential conflicts between repositories that contain values for the same properties.

    Spring Cloud Configuration Server Property Overrides

    The configuration server has an “overrides” feature that allows the operator to provide configuration properties to all applications that cannot be accidentally changed by the application using the normal change events and hooks. To declare overrides add a map of name-value pairs to spring.cloud.config.server.overrides.

    For example:

    1
    2
    3
    4
    5
    6
    
    spring:
      cloud:
        config:
          server:
            overrides:
              foo: bar
    

    This will cause the CAS server (as the client of the configuration server) to read foo=bar independent of its own configuration.